Recent Zyxel NAS Vulnerability Exploited by Botnet

A Mirai-like botnet has started exploiting a critical-severity vulnerability in discontinued Zyxel NAS products.

A recently disclosed critical-severity vulnerability in discontinued Zyxel NAS devices is already being exploited in botnet attacks, the Shadowserver Foundation warns.

Tracked as CVE-2024-29973, the issue is described as a code injection flaw that can be exploited remotely without authentication. It was introduced last year, when Zyxel patched CVE-2023-27992, a similar code injection bug.

“While patching this vulnerability, they added a new endpoint which uses the same approach as the old ones, and while doing so, implemented the same mistakes as its predecessors,” explains Outpost24 security researcher Timothy Hjort, who discovered and reported the security defect.

According to the researcher, an attacker can send crafted HTTP POST requests to a vulnerable device to exploit the vulnerability for remote code execution.

Late last week, the Shadowserver Foundation revealed that it had started seeing the first exploitation attempts targeting this vulnerability by a Mirai-like botnet. Technical details and proof-of-concept (PoC) code targeting this flaw are publicly available.

Zyxel released patches for CVE-2024-29973 and three other bugs in early June, but warned that the affected products, namely NAS326 and NAS542, were discontinued in December 2023.

According to Censys, as of June 27, there were roughly 1,200 Zyxel NAS326 and NAS542 devices exposed to the internet, mainly concentrated in Europe. However, it is unclear how many of these are vulnerable.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support, despite the products already having reached end-of-vulnerability-support,” the company warned.


Firmware version V5.21(AAZF.17)C0 resolves the flaws for NAS326 devices. For NAS542 products, Zyxel addressed the bugs in firmware version V5.21(ABAG.14)C0.
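Because the only actionable indicator on this page is the firmware version, a practical triage step is to compare each device's reported firmware string against the fixed versions named above. The following is an added example, not code from Zyxel, Outpost24 or SecurityWeek; it assumes that Zyxel's firmware strings always follow the V&lt;major&gt;.&lt;minor&gt;(&lt;model code&gt;.&lt;build&gt;)C&lt;rev&gt; shape seen in the two versions quoted here, that higher build numbers within the same model code are newer, and that the hostnames and versions in the inventory are constructed sample data.

```python
import re
from dataclasses import dataclass

# Assumed layout of a Zyxel firmware string, e.g. "V5.21(AAZF.17)C0":
# major.minor, then a model-specific code and build number in parentheses,
# then a release suffix. This breakdown is inferred from the two versions in
# the advisory, not taken from Zyxel documentation.
VERSION_RE = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<code>[A-Z]+)\.(?P<build>\d+)\)"
    r"C(?P<rev>\d+)$"
)

# Firmware versions the vendor names as fixing CVE-2024-29972/29973/29974.
FIXED_FIRMWARE = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}


@dataclass(frozen=True)
class FirmwareVersion:
    major: int
    minor: int
    code: str
    build: int
    rev: int

    def key(self):
        # Assumed ordering: version first, then build, then release suffix.
        return (self.major, self.minor, self.build, self.rev)


def parse_version(text: str) -> FirmwareVersion:
    """Parse a Zyxel-style firmware string; raise ValueError if it does not match."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {text!r}")
    return FirmwareVersion(
        int(m.group("major")),
        int(m.group("minor")),
        m.group("code"),
        int(m.group("build")),
        int(m.group("rev")),
    )


def assess(model: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one device.

    'unknown' covers models outside the advisory, unparsable strings, and
    version strings whose model code does not belong to the claimed model;
    all of those need a human look rather than a silent pass.
    """
    fixed_text = FIXED_FIRMWARE.get(model)
    if fixed_text is None:
        return "unknown"
    fixed = parse_version(fixed_text)
    try:
        actual = parse_version(version)
    except ValueError:
        return "unknown"
    if actual.code != fixed.code:
        return "unknown"
    return "patched" if actual.key() >= fixed.key() else "vulnerable"


def triage(inventory):
    """Return (host, model, version, verdict) for every device not confirmed patched."""
    findings = []
    for host, model, version in inventory:
        verdict = assess(model, version)
        if verdict != "patched":
            findings.append((host, model, version, verdict))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = [
    ("nas-01.example.internal", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-02.example.internal", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-03.example.internal", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-04.example.internal", "NAS542", "V5.21(ABAG.14)C0"),
    ("nas-05.example.internal", "NAS542", "firmware string not collected"),
]

if __name__ == "__main__":
    for host, model, version, verdict in triage(INVENTORY):
        print(f"{verdict:10} {host} {model} {version}")
```

A version at or above the fixed build only shows that the fix is installed; it says nothing about whether the device was compromised before the update, and, since these models are end-of-life, a passing result is still a reason to plan replacement rather than to close the ticket.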

Users are advised to update their devices as soon as possible and to consider replacing them with supported products.

Threat actors, including botnet operators, have a history of targeting vulnerabilities in Zyxel products even after patches have been released.

*Updated on June 28 with data from Censys.

Related: Edge Devices: The New Frontier for Mass Exploitation Attacks

Related: CISA Warns of Progress Telerik Vulnerability Exploitation

Related: DreamBus Botnet Exploiting RocketMQ Vulnerability to Deliver Cryptocurrency Miner

Related: Serious Vulnerability Exposes Admin Interface of Arcserve UDP Backup Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

